Exploit-Me Firefox XSS and SQL scanning addon

One of the best tools we saw at LayerOne was the Exploit-Me series presented by [Dan Sinclair]. Security Compass created these tools to help developers easily identify cross-site scripting (XSS) and SQL injection vulnerabilities.

XSS-Me is a Firefox add-on that loads in the sidebar. It identifies all the input fields on a page and iterates through a user-provided list of XSS strings, submitting each one in a new tab and checking the result. When this process completes you get a report of which attack strings got through, which didn’t, and which might have. The upcoming 0.3 version will use heuristics to determine which characters can be used and automatically skip attack strings that won’t get through.
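To make the two ideas in that paragraph concrete, here is an added sketch (not code from the Exploit-Me add-ons, and all names are my own) of how such a scanner can probe which characters a reflected input field lets through, skip test strings that need characters the page strips, and file each remaining string under “got through”, “might have”, or “didn’t”. The test strings are harmless markers and the “pages” are constructed reflect functions.

```javascript
// Added illustration of two things XSS-Me does: probe which characters a
// reflected input field lets through (the 0.3 heuristic), and sort each test
// string into "passed", "maybe" or "blocked". All names here are my own.
const CANARY = "XSSME";                       // harmless marker, never executes
const PROBE_CHARS = ["<", ">", "\"", "'", "&", "/"];

// Canary string: the marker with each probe character wrapped in it, e.g.
// XSSME<XSSME>XSSME"XSSME... If "<" survives the trip, XSSME<XSSME reflects intact.
const buildCanary = () => CANARY + PROBE_CHARS.map(c => c + CANARY).join("");

function survivingChars(reflectedHtml) {
  return PROBE_CHARS.filter(c => reflectedHtml.includes(CANARY + c + CANARY));
}

// Verdict for one test string against the HTML the page reflected it into.
function classify(probe, reflectedHtml) {
  if (reflectedHtml.includes(probe)) return "passed";   // reflected verbatim
  if (reflectedHtml.includes(CANARY)) return "maybe";   // reflected, but altered
  return "blocked";                                     // not reflected at all
}

// Run a probe list against a page (modelled as a reflect function). With the
// heuristic on, strings needing characters the page strips are skipped.
function scan(reflect, probes, useHeuristic = true) {
  const allowed = useHeuristic ? survivingChars(reflect(buildCanary())) : PROBE_CHARS;
  const report = { passed: [], maybe: [], blocked: [], skipped: [] };
  for (const p of probes) {
    const needed = PROBE_CHARS.filter(c => p.includes(c));
    if (needed.every(c => allowed.includes(c))) report[classify(p, reflect(p))].push(p);
    else report.skipped.push(p);
  }
  return report;
}

// Constructed stand-ins for a page echoing a form field back into its HTML.
const ENT = { "&": "&amp;", "<": "&lt;", ">": "&gt;", "\"": "&quot;", "'": "&#39;" };
const escapeHtml  = s => s.replace(/[&<>"']/g, ch => ENT[ch]);   // proper output encoding
const stripAngles = s => s.replace(/[<>]/g, "");                 // naive "filter"
const probes = ["<i>XSSME</i>", "\"XSSME\"", "'XSSME'", CANARY + "/"];

console.log(scan(escapeHtml, probes));          // everything but XSSME/ skipped
console.log(scan(stripAngles, probes));         // only the <i> probe skipped
console.log(scan(stripAngles, probes, false));  // <i> probe reported as "maybe"
```

With the heuristic off, the stripped-tag reflection of the `<i>` probe lands in “maybe”, which is exactly the kind of result the 0.3 heuristic is meant to avoid spending a tab on.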

The SQL Inject-Me works almost exactly the same way. It does require a little planning though: you need to tell it what you expect the results page to look like when an attack gets through.

The newest tool, Access-Me, surfs along with you while you’re authenticated to a website and checks whether you can see the same page unauthenticated.

6 thoughts on “Exploit-Me Firefox XSS and SQL scanning addon”

I saw Dan present this at CarolinaCon this past year along with a friend of his named Sahba (I hope I spelled that right). It was a really interesting concept and led to some great questions from the audience.

Beware, when I clicked the link to download this Firefox plug-in, it dumped a file called “xm86zte5.exe” on my desktop. I purged the file immediately. Not sure what it does but that was unexpected behaviour. This may be a malicious site.

@sb: All of the tools are open sourced so if you’re concerned with malicious activity you’re free to audit the tools as you want. We’ve been careful to remove anything that might be thought to track people. That’s why we don’t have any of the XSS attacks that reference external .js files included by default.

@hali: Out of curiosity, where did you download the .xpi file from? Are you trying to say that running the xpi added a file to your desktop or it somehow downloaded a secondary file?

The Exploit-Me files are .xpi files. They aren’t exes. They only run within Firefox.